RU2543561C1 - System for session-based resource access control - Google Patents

Abstract

FIELD: information technology.SUBSTANCE: system for session-based resource access control, comprising a unit for user identification from a request, a unit for identifying an access object and action from a request, a unit for identifying a process from a request, a unit for user identification and authentication, a unit for selection of a session by a user, a decision element unit, a unit for storing access rules, wherein the input of the unit for user identification from a request is connected to the input of the unit for identifying an access object and action from a request, the input of the unit for identifying a process from a request, the first input of the system, the output of the unit for user identification from a request is connected to the first input of the decision element unit, the second input of which is connected to the output of the unit for identifying an access object and action from a request, the third input is connected to the output of the unit for storing access rules, the first output is connected to first output of the system, the second output is connected to the first input of the unit for storing access rules, the second input of which is connected to the second input of the system, the fourth input of the decision element 6 unit is connected to the output of the unit for identifying a process from a request, the fifth input is connected to the first output of the unit for selection of a session by a user, the second output of which is connected to the second output of the system, the input/output of the user identification and authentication unit is connected to the first input/output of the system, the input/output of the unit for selection of a session by a user is connected to the second input/output of the system, the third input of the unit for selection of a session by a user is connected to the second input of the user identification and authentication unit, the second input of the system, the output of the user identification and authentication unit is connected to the sixth input of the decision element unit, the second input of the unit for selection of a session by a user.EFFECT: broader functional capabilities of the system for controlling access to resources by implementing session-based resource control, wherein the access subject is defined by three entities - a session, a user and a process.1 tbl, 2 dwg

Description

The invention relates to the field of computer technology, and in particular to the field of protection against unauthorized access (unauthorized access) to information created and stored in computer systems (CS).

One of the key tasks of protecting information processed in the CS is the implementation of access control (delimiting access policy) to resources (to file objects, OS registry objects, devices, clipboard, network resources, etc.).

A universal solution in terms of protecting information from theft, both by authorized users (insiders) and as a result of external attacks, including network attacks, is the introduction of information processing modes (sessions) on a computer, in particular, determined by the level of confidentiality of the data being processed information (open, confidential, etc.), although there may be other principles for appointing sessions. The idea of implementing protection is to completely isolate the processing of information in various sessions, provided by preventing any possibility of transferring information between sessions.

The effect of increasing the security level of processing critical (confidential) information on a computer, where open information is also processed, is achieved due to the fact that the probability of receiving unauthorized access to information in an open session is an order of magnitude higher than in a confidential session characterized by other access rights to resources computer and corporate network. The rationale for this approach to information protection is presented in the works [Scheglov K.A., Scheglov A.Yu. Protection against attacks from applications endowed with malicious functions. Access Control Models // Information Security Issues. - Moscow: VIMI, 2012 .-- Issue 99. - No. 4. - S.31-36; Scheglov K.A., Scheglov A.Yu. Protection against attacks on application vulnerabilities. Access Control Models // Information Security Issues. - Moscow: VIMI, 2013 .-- Issue 101. - No. 2. - S. 36-43].

When implementing session control of access, the main subject of access in the differentiation policy of subjects to objects is the entity “session”, in addition, entities “user” and “process” should act as access entities (for processes, in general, own access rights to objects) [Scheglov A.Yu. Protecting computer information from unauthorized access. - St. Petersburg: Science and Technology, 2004. - 384 p.]. Thus, the subject of access to resources in the delineation policy during the implementation of session access control should be defined by three entities "session, user, process".

At the same time, the same user (characterized by the same SID) on the same computer should generally be able to work in different sessions, i.e. with various access rights to resources (for example, process both open and confidential information, which is the case in practice).

An analysis of the literary sources and descriptions of the operation of modern OS, security features and applications allows us to note the following. Despite the reasonable effectiveness of session access control; in well-known tools that implement a delimiting policy of access to resources, the subject of access is not defined by three entities "session, user, process", which significantly limits their functionality, in terms of implementing effective protection of confidential information from unauthorized access.

Currently, various systems for controlling access to resources are known.

In the system of access control for resources, Patent No. 2207619 (G06F 13/00), it is possible to set access control for both users and processes, and independently from each other. However, this does not allow to implement session control of access to the resources of the COP.

Patent No. 2134931 (class H04L 9/32, G06F 12/14) describes a method for providing access to objects in the operating system based on the assignment of security labels to subjects and access objects, while for each object of the operating system they are formed in advance and then stored in memory signal label of the object, i.e. access rights to objects assigned as security labels. This does not allow to implement session control of access to the resources of the CS - it does not provide the ability to work for the same user with different access rights to resources (a security label is assigned to the user), it does not allow to take into account the essence of the process in the delimiting access policy.

Closest to the technical solution and chosen by the authors for the prototype is the resource access control system implemented in Microsoft Windows with the NTFS file system - access control for file objects, which uses file attributes (in particular, Security, to store file access rights (ACL) Descriptor - this attribute contains information about file protection: ACL access list and audit field, which determines what kind of operations on this file should be registered) [M. Russinovich, D. Solomon. Microsoft Windows internal device. - St. Petersburg: Peter, 2005 - 992 p. (Chapter 8, Fig. 8.5. An example of checking access rights)].

The system is presented in figure 1. The resource access control system comprises: a user identification block from request 1, an access object identification block and actions from request 2, a decision element block 3, access rule storage unit 4, the input of the user identification block from request 1 being connected to the input of the access object identification block and actions from request 2, with the first input of system 5, the output of the user identification block from request 1 is connected to the first input of the block of the decisive element 3, the second input of which is with the output of the access identification block and actions of query 2, the third input - to the output of the storage unit 4, the access rules, the first output - with output system 6, a second output - to the first input of access rule storing unit 4, the second input of which - to the second input 7 of the system.

The access control system for resources works as follows. From the second login to system 7, access rules 4 are set in the access rule storage unit 4, which determines which actions (read, write, execute, delete, etc.) on which resource (in this case, a file object) to which user (SID) allowed / forbidden. From the request for access to the resource arriving at the first input of system 5, the user identification unit from request 1 identifies the user (SID) that generated this request, and the access object and action identification unit from request 2 identifies which resource (file object) it requested user access, and what actions (reading, writing, etc.) on the resource are requested by the user. Upon request from the second output of the block of the decisive element 3, allowed / forbidden access rules of the user identified by block 1 to the resource identified by block 2 are issued to this block from the storage block of access rules 4. The block of the decisive element 3 analyzes the requested actions of the user on the resource for consistency with the given rules, as a result of this analysis gives a control signal to the output of the system 6, allowing (recognizing it authorized) or prohibiting (recognizing it not authorized) subsequent processing of the analyzed request for user access to the resource .

A prototype that implements access control to resources has fundamental shortcomings that limit the possibility of its use in the implementation of session access control:

- cannot differentiate user access rights to resources when working in various modes (sessions) - allows to differentiate access rights to resources exclusively between different users;

- cannot differentiate the access rights of processes to resources, all processes executed by the same user inherit the access rights of the user who launched them (the entity “process” is not used in the differentiation policy of access to resources);

- as a result, the system cannot be used to implement session control of access to resources, in which the access subject must be defined by three entities "session, user, process".

The present invention solves the problem of expanding the functionality of the access control system for resources, by implementing session control of access to resources, in which the access subject is defined by three entities "session, user, process".

In order to achieve a technical result, a resource access control system that implements a delimiting policy of user access to resources, comprising a user identification block from a request, an access object identification block and an action block from a request, a decision element block, an access rule storage block, and an user identification block input from the request is connected to the input of the identification block of the access object and the action from the request, with the first input of the system, the output of the user identification block from the request is connected the first input of the decision element block, the second input of which is the output of the access object identification unit and the action from the request, the third input is the output of the access rule storage unit, the first output is the first system output, the second output is the first input of the access rule storage unit, the second input of which is with the second input of the system, a process identification block from the request, a user identification and authentication block, a user session selection block, the input of the process identification block from the connection request, is additionally introduced n with the first input of the system, the output - with the fourth input of the deciding element block, the input / output of the user identification and authentication block is connected to the first input / output of the system, the input / output of the session selection block by the user - with the second input / output of the system, the third input of the selection block user session is connected to the second input of the user identification and authentication unit, with the second input of the system, the output of the user identification and authentication unit is connected to the sixth input of the deciding element unit, with the second input of the unit and selecting a session by a user whose first output is with the fifth input of the deciding element block, the second output is with the second output of the system.

New in the present invention is the provision of a resource access control system that implements a delineating policy of user access to resources, a process identification block from a request, a user identification and authentication unit, a user session selection unit and their connections.

As a result of the analysis of the prior art by the applicant, including a search by patent and scientific and technical sources of information and identification of sources containing information about analogues of the claimed technical solution, no source was found characterized by features identical to all the essential features of the claimed technical solution. The determination from the list of identified analogues of the prototype as the closest analogue in terms of the totality of features made it possible to establish the set of distinguishing features essential to the applicant’s technical result of the claimed system of session control of access to resources. Therefore, the claimed technical solution meets the criterion of "novelty."

An additional search carried out by the applicant did not reveal known solutions containing features that match the distinctive features of the claimed system of session control of access to resources that are distinct from the prototype. The claimed technical solution does not follow for the specialist explicitly from the prior art and is not based on a change in quantitative characteristics. Therefore, the claimed technical solution meets the criterion of "inventive step".

The set of essential features in the present invention made it possible to expand the functionality of the access control system for resources by implementing session control of access to resources, in which the access subject is defined by three entities "session, user, process".

As a result, we can conclude that:

- the proposed technical solution has an inventive step, because it does not explicitly follow from the prior art;

- the invention is new, since the prior art on available sources of information did not reveal analogues with a similar set of features;

- the invention is industrially applicable, as it can be used in all areas where implementation of access control (access rights delimitation) to resources is required.

The invention is illustrated by the drawing shown in Fig.2.

The inventive system of session control of access to resources contains a user identification block from request 1, an access object identification block and actions from request 2, a process identification block from request 3, user identification and authentication block 4, session selection block by user 5, decision block 6, a block for storing access rules 7, wherein the input of the user identification block from request 1 is connected to the input of the identification block of the access object and the action from request 2, with the input of the process identification block from dew 3, with the first input of system 8, the output of the user identification block from request 1 is connected to the first input of the block of the deciding element 6, the second input of which is with the output of the access object identification block and actions from request 2, the third input is with the output of the access rules storage block 7, the first output is with the first output of the system 12, the second output is with the first input of the access rule storage unit 7, the second input of which is with the second input of the system 9, the fourth input of the decision block 6 is connected to the output of the process identification unit from request 3, heel the first input is with the first output of the session selection block by user 5, the second output of which is with the second output of system 13, the input / output of the identification and authentication block of user 4 is connected to the first input / output of the system 10, the input / output of the session selection block by user 5 is connected to the second input / output of the system 11, the third input of the session selection block by user 5 is connected to the second input of the identification and authentication unit of user 4, with the second input of system 9, the output of the identification and authentication block of user 4 is connected to the sixth input of the unit as a decisive element 6, with the second input of the session selection block by user 5.

Consider the operation of the session control system for access to resources. From the second login to system 7 (system administration login), the administrator identifies the user ID and password (for local and remote authorized user login to the system) in the user identification and authentication unit 4, in the session selection unit by user 5 for each user (user ID, in this case, determined by its SID), the administrator sets the identifier (corresponding to the identifier defined for the user in block 4) and the user password (password in general tea may differ from the password set for logging into the system), the sessions (modes) in which the identified user can work, and the rules for changing the session (mode) for the user, for example, arbitrarily, or only to increase the level of session privacy, respectively , only lows, etc. (depends on the implemented principles for the appointment of the session). A session can be specified by appropriate transcription (semantic designation) with its subsequent translation for storage and processing into a numerical value - security label or credential. If necessary, the corresponding security label - mandate (for example, setting the maximum level of confidentiality of the session in which the user can work) can be set in block 4 from input 9.

In the storage block for access rules 4 from input 9, the administrator sets access rules.

Comment. When implementing access control to files created during the operation of the system, access rules from input 9 to the created file are set in block 4 not by the administrator, but by the automatic file marking system. In general, access rules from input 9 can be set both by the administrator (manual marking of files) and the system of automatic marking of files when they are created.

The entity “session, user, process” is used as the subject of access in the system, i.e. these rules determine what actions (read, write, execute, delete, etc., the rules depend on the physical characteristics of the resource to which access control is implemented, for example, for a printer - to enable or disable printing, for a network resource - set connection to some address, port, protocol, transmit information, receive information, for the clipboard is writing / reading to / from the clipboard / a clipboard, etc.) over which resource (resource identifier, again depends on the physical resource features), in which session, to whom the user (the SID), when you access any process (application) - identified polnoputevym name (application) process executable file, enabled / disabled. When assigning an access subject, both an exact pointer and an enumeration, masks, environment variables can be used. Examples of the job of the access subject are given in Table 1 (note, these are just examples illustrating the possibilities, and not listing all the possibilities) of the destination of the access subject.

Table 1 Examples of job of the access subject in the system of session control of access to resources Example Session entity User entity The essence of the "Process" one Confidentially User 1 C: / Program Files / Internet file: //Explorer/Iexplore.exe 2 * User 1 C: / Program Files / * 3 Confidentially * * four Confidentially User 1, User 2 * 5 Open, confidential User 2 C: / * 6 * * C: / Program Files / Internet Explorer / Iexplore.exe 7 - * *

In example 1, all entities are precisely defined, in example 2, the access subject is defined to set the access rules for user 1 when accessing resources by a process (application) launched from the C: / Program Files folder when working in any session, example 3 as only the session is determined by the access subject, example 4 differs in that it lists specific users for a certain session, in rule 5, on the contrary, sessions are listed - the rules will set access restrictions for User 2, the same for both ssy, in Example 6, the subject is given access only to the process (the application) - for all sessions for all users, an example 7 is given by one of the possible options for a subject for the case of access (at the time), when the user session was not selected (non-selected).

Comment. Thus, the system allows to delimit access only between sessions, only between users, only between processes, and also between any sets of entities - “session”, “user”, “process”, in general, between the entities “session, user, process” .

When a user logs on locally or remotely to the system, the user is authenticated by block 4 - the user from input / output 10 is asked to enter his identifier and secret word (password) into block 4 from input / output 10. Upon successful authentication of the user by block 4, the user's identification data (his SID), if necessary, the user's security label (credentials) (maximum allowed session privacy level for the user) by block 4 are issued to the second input of block 5, which the user is invited from input / output 11 to identify yourself - enter the identifier and password, for the subsequent selection of the session. This need is due to the fact that several users can be registered in the system at the same time - at the same time log into the system. At the same time, the identity of the user (his SID) is transmitted by block 4 to block 6. Until the user selects a session from the first output of block 5, the processing of access requests received by this user from the input 8 to the system from block 8 will be carried out by block 6 according to the rules set for processing access requests without selecting a session by the user (the access subject can, for example, be set, as in example 7, see table 1). This is necessary to implement the minimum necessary access rights for the correct operation of the OS and the necessary applications until the user selects a session.

After successful user authentication, the user will be prompted to select a session from login 11. The sign of the session selected by the user (the user identifier and the identifier of the session selected by him) from block 5 is sent to block 6, allowing the system to process requests for access to resources from this user in the mode of the session selected by him (with the rules for controlling access to resources specified for this session).

If the user has previously selected a session and he wants to change it, the user issues a request from input / output 11 to block 5, authenticates himself (enters the identifier and password) and requests a session change (defines a new session for himself). If the requested session change does not contradict the session change rules specified by the administrator in block 5, block 5 changes the user session by issuing the user ID and the identifier of the session selected for him in block 6 - as a result, the rules for controlling access to resources for the new user come into effect of his chosen session.

At the initial selection and when the user changes the session, the output of the system 13 by block 5 gives control information about the selection or change of the session for the user (session identifier). This information can be used by other systems that accompany the user’s work when implementing session control of access to resources. In particular, when a user selects or when a user changes one session to another (taking into account the features of the sessions), it may be necessary to mount (unmount) any devices on the system, clear the freed areas of the RAM (residual information), clear the clipboard, etc. d.

If the session requested by the user (both during the initial selection and during the change) is prohibited to the user, then the user is informed about this by the block 5 from the input / output of the system 11, the selection, accordingly, the session is not changed in the system.

From the request for access to the resource arriving at the first input of system 8, the user identification unit from request 1 identifies the user (SID) that generated this request, the access object identification and action block from request 2 identifies which resource (by its identifier, for example , the user requested access to the file object by its full path name, and what actions (reading, writing, etc.) were requested by the user on the resource, the process identification block from request 3 identifies the process (by the full path and its executable file), which the user requests access to a resource. These identifiers (from blocks 1, 2, 3) go to the corresponding inputs of the block of the decisive element 6, which also at this point in time has information about the session selected by the user (see above), or about the absence of the user's choice of the session.

Upon request from the second output of the block of the decisive element 6, the access rules set by the administrator for the access subject defined by the entity "session, user, process" (for identified sessions, user, process) to the resource identified by block 2 are issued to this block from the storage block of access rules 7 . The block of the decisive element 6 analyzes the requested actions of the user on the resource for consistency with the given rules, as a result of this analysis gives a control signal to the output of the system 12, allowing (recognizing the access request as authorized) or prohibiting (recognizing it as not authorized) subsequent processing of the analyzed request for user access to resource.

Comment. Access control can be based both on the implementation of discretionary and on the implementation of mandatory access control. For example, mandatory control can be implemented both between session entities and between user entities (and between a combination of these entities - in this case, a security label is assigned to both users and sessions, and in block 5 it is set which maximum session label is allowed for the user ), in addition to the mandatory one, discretionary control of access to resources can be implemented, for example, for the entity process.

Mandatory access control in the general case is understood as a method of processing requests for access to resources based on a formal comparison, in accordance with defined rules, of security labels (credentials) assigned to subjects and objects of access (in general, groups of subjects and objects). Security labels, as a rule, are elements of a linearly ordered set M = {M1, ..., Mk} and serve to formalize any properties of subjects and objects.

Access control is implemented on the basis of defined rules that determine the linear order relation on the set M, where for any pair of elements from the set M one of the types of relations is defined: greater, less, equal (in practice, the choice is made of a subset of M isomorphic to a finite subset of natural numbers the choice makes arithmetic comparison of security labels natural). The rules for comparing labels are also assigned from any properties of subjects and objects, as applied to the current task of protecting information from unauthorized access in the CS.

The widest practical use of the credential method has been found to be the practice of secret paperwork in computer processing of information. The basis for the implementation of the processing of categorized information is the classification of information by level of confidentiality. Object security labels reflect the confidentiality category of information that can be stored in the respective objects. The security labels of the subjects reflect the powers (by analogy with the admission form) of the subjects, in terms of access to information of various levels of confidentiality. Here, it is advisable to consider the entities “session” and “user” under the subjects to which security labels can be assigned, while the set of labels — sessions that the user can choose when interacting with block 5 should contain labels that do not exceed the security label in terms of privacy assigned by the administrator to the user (having a numerical value no more, see below).

We assume that the higher the subject’s authority and the level of confidentiality of the object, the lower their sequence number in linearly authoritatively ordered sets of subjects and objects - C = {C1, ..., Ck} and O = {O1, ..., Ok}, the lower the value safety labels Mi, i = 1, ... k are assigned to them, i.e.: M1 is less than M2 is less than M3 is less ... is less than Mk.

Thus, as the accounting information of subjects and access objects, in addition to their identifiers - names, each subject and object (resource) are assigned security labels from the set M.

We introduce the following notation:

- Ms - security label of the subject (group of subjects) of access;

- Mo - security label of the access object (group of objects).

In practice, for mandatory access control, which is used to protect against information privacy violations, the following access control rules are widely used, which in this case must be set by the administrator in block 7 (accordingly, the administrator in the label system is assigned to the subjects (session and user) and access objects - resources):

1. Subject C has access to object O in the ″ Read ″ mode if the condition is met: MS is not more than Mo.

2. Subject C has access to object O in ″ Recording ″ mode if the condition is met: Ms is Mo.

3. In other cases, access of subject C to object O is prohibited.

However, other rules are also possible, for example, rules for completely isolating the processing of information at various levels of confidentiality, or when users perform different roles in the CS (non-hierarchical labels):

1. Subject C has access to object O in the ″ Read ″, “Write” mode if the condition is met: Ms is Mo.

2. In other cases, access of subject C to object O is prohibited.

Let us evaluate the achievement of the goal - the solution to the problem of expanding the functionality of the access control system for resources by implementing session control of access to resources in which the access subject is defined by three entities "session, user, process".

1. Can differentiate user access rights to resources when it is working in various modes (sessions).

2. Can differentiate access rights of processes to resources, processes executed by the same user, various rules for access to resources can be assigned in the system.

3. As a result, the system can be used to implement session control of access to resources, in which the access subject must be defined by three entities “session, user, process”.

4. The system can be used to implement access control to resources, where any of the three entities: “session, user, process”, or any combination (combination) of these entities can act as an access subject.

5. When implementing session-based access control, both discretionary and credential (based on security labels - credentials) differentiating access policies for resources can be implemented.

The invention is industrially applicable in terms of the possibility of technical implementation of the blocks included in the system.

The technical implementation of all units of the system is based on standard solutions for storing and processing data, for processing data (including their selection), stored in tables. All used blocks are technically feasible, and their implementation is achieved by standard means.

This decision was tested by the applicant when building a prototype of a means of protecting computer information.

Thus, in the present invention solved the problem of expanding the functionality of the access control system for resources, by implementing session control of access to resources, in which the access subject is defined by three entities "session, user, process".

Given the current level of development of computer technology, it is technically feasible.

Claims (1)

A system for session control of access to resources, comprising a unit for identifying a user from a request, a unit for identifying an access object and actions from a request, a block for a deciding element, a block for storing access rules, the input of a unit for identifying a user from a request connected to the input of the unit for identifying an access object and an action from a request , with the first input of the system, the output of the user identification block from the request is connected to the first input of the deciding element block, the second input of which is with the output of the object identification block up to stupa and actions from the request, the third input - with the output of the access rule storage unit, the first output - with the first output of the system, the second output - with the first input of the access rule storage unit, the second input of which is with the second input of the system, characterized in that additionally introduced: a process identification block from a request, a user identification and authentication block, a session selection block by a user, the input of the process identification block from the request being connected to the first input of the system, the output to the fourth input of the deciding element block , the input / output of the user identification and authentication unit is connected to the first input / output of the system, the input / output of the session selection unit by the user is connected to the second input / output of the system, the third input of the session selection unit by the user is connected to the second input of the user identification and authentication unit, system input, the output of the user identification and authentication unit is connected to the sixth input of the deciding element block, with the second input of the session selection block by the user, the first output of which is with the fifth input of the p block Collapsing element, the second output - to the second output of the system.

Images